How-To Geek

We harp on password security a lot around here, and for good reason. Security breaches are frequent, and the best defense is a set of strong, varied passwords. Read on for a password refresher.

If you’re a Zappos.com or affiliate 6pm.com customer, you likely received an email late last night explaining that:

We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on 6pm.com, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password).

Now, if you practice good password hygiene, you have nothing to worry about. You were using a unique password for that site alone, so even if the password file is compromised, the group responsible will find an only-for-Zappos password like “C&6!s6usWf#KvnT5”. If you’re not so good with password hygiene, the password might look more like “ThisIsTheOnlyPasswordIUseAnywhere” or, more accurately, like “balloon” or some other equally poor password.

Jason Fitzpatrick is a warranty-voiding DIYer and all-around geek. When he's not documenting mods and hacks, he's doing his best to make sure a generation of college students graduate knowing they should put their pants on one leg at a time and go on to greatness, just like Bruce Dickinson. You can follow him on Google+ if you'd like.

Comments (4)

I believe the length of “ThisIsTheOnlyPasswordIUseAnywhere” would prevent a cracker from gaining access, assuming standard encryption was used. Basically, length matters most when it comes to creating passwords. The cracker doesn’t know that you didn’t use a number or symbol and after the dictionary attacks have failed, they only have brute force methods left.

Length matters for passwords. 13+ characters not in a dictionary are the minimum, but 20+ is advisable as graphics cards become more and more powerful. I read about a year ago that any 12-character password would be discovered in less than 24 hours using GPU processing on less than a $2000 PC. It is only going to get worse, so longer passwords are important.

Many of the time-to-crack password tables on the internet were created assuming CPU-only methods. GPUs with over 250 pipelines are exponentially faster.

I store my passwords in KeePass Portable. I’ve never used either service, but I’ve heard that the really secure passwords are the *longest* passwords – it would take a brute-force attack several years to generate the correct password. An 8- or 10-character password would be broken in a matter of hours, even if it was something like “aJ8!3k_f” … longer passwords are *definitely* better.
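A worked comparison of the four passwords quoted in the article and the comments, as an added example that is not part of the original post or its comments: it models the commenters' argument by checking a tiny constructed wordlist first (a dictionary attack is what a cracker tries before brute force) and then ranking what is left by the search space a brute-force attacker must cover. The mini dictionary, the character-class sizes and the guess rate of 1e10 per second are assumptions.

```python
import math
import string

# Constructed stand-in for the wordlist a cracker tries before brute force
# (assumption: a real list has millions of entries, but the ordering is the same).
DICTIONARY = {"balloon", "password", "letmein", "zappos", "shoes"}

# (name, members, size) for the character classes an attacker must assume
# once a single member is present; sizes are the usual US-keyboard counts.
CLASSES = [
    ("lower", set(string.ascii_lowercase), 26),
    ("upper", set(string.ascii_uppercase), 26),
    ("digit", set(string.digits), 10),
    ("symbol", set(string.punctuation), 32),
]


def charset_size(password: str) -> int:
    """Alphabet size a brute-force attacker has to assume for this password."""
    present = set(password)
    return sum(size for _, members, size in CLASSES if present & members) or 1


def brute_force_bits(password: str) -> float:
    """log2 of the full search space. This is an upper bound: a passphrase made of
    dictionary words falls to wordlist and rule attacks far sooner than this."""
    return len(password) * math.log2(charset_size(password))


def assess(password: str, guesses_per_second: float = 1e10) -> dict:
    """Dictionary first, brute force only after, as the comments describe.
    guesses_per_second is an assumed offline GPU rate against a fast, unsalted hash."""
    if password.lower() in DICTIONARY:
        bits, method = math.log2(len(DICTIONARY)), "dictionary"
    else:
        bits, method = brute_force_bits(password), "brute-force"
    return {"password": password, "method": method, "bits": round(bits, 1),
            "days_to_exhaust": 2 ** bits / guesses_per_second / 86400}


def rank(passwords: list) -> list:
    """Passwords from weakest to strongest by effective bits of search space."""
    scored = sorted((assess(p) for p in passwords), key=lambda a: a["bits"])
    return [a["password"] for a in scored]


if __name__ == "__main__":
    for p in ["balloon", "aJ8!3k_f", "C&6!s6usWf#KvnT5", "ThisIsTheOnlyPasswordIUseAnywhere"]:
        print(assess(p))
```

The 33-character all-letter passphrase outscores the 16-character mixed one on raw length, which is the commenters' point, but its figure is only an upper bound because reused, dictionary-based phrases are exactly what wordlist attacks target first.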